I attended the Virus Bulletin 2009 conference this past week in Geneva, Switzerland and had a pretty good time there. I came away with a number of themes:
- Spam is not going to go away any time soon, but it is not the growth industry in internet abuse that it was 10 years ago. Spammers today are migrating onto other platforms to send abuse, including Black Search-Engine Optimization (Black SEO) and social networking abuse, such as Twitter and Facebook. These attack vectors are newer to the e-security industry and the mechanisms of defense are less well understood compared to spamming.
The spam filtering industry, in terms of techniques, is starting to mature and the effectiveness of spamming is not what it once was compared to the other techniques. This does not mean that spammers will abandon spammers, rather, the other vectors will grow in popularity much faster.
- Social engineering is one of the most popular non-spam abuse techniques. For example, fake antivirus software is one of the tools “spammers” use to trick users into infecting themselves with worms, rogues, trojans, etc. They work by preying on the user’s desire and fear to avoid their PCs getting infected, but instead they are tricked into doing the very thing they wish to avoid.
- Everyone knows that historically, PCs (running Windows) have been the main target of viruses. Yet, that is beginning to shift. Apple is now acknowledging that they can be exploited, and bots exist on Linux as well. It is only a matter of time, as Macs become more popular, that they start to become an even bigger target. And the problem may be magnified by a false sense of security – since Mac users believe that they are immune to viruses (as they are told by Apple themselves, more or less), they will get sloppy about not running antimalware software.
- And finally, I come to the title of this post. Switzerland is a nice place, though very expensive. But when you stay in a hotel near the airport, they give you a free bus pass to go downtown. That’s totally awesome. But, Geneva is built upon a model of trust (kind of like SMTP). I got on the bus and was prepared to hand over my bus pass but no one else did. Everyone was honest! It was assumed that if you got on the bus, then you honest enough to have bought a ticket and no verification was necessary. This is a lot like my post on cheap corn that I wrote a few weeks ago.
As a security professional, I thought to myself that it’d be really easy for me to go ahead and ride the bus for free without buying a ticket. No one checked. It’d be so easy to exploit the trust of someone that expects you to be honest. It’s kind of the opposite of when I rode the trains when I lived in England, it was nearly impossible to ride for free because a ticket-checker always verified whether or not you had bought anything.
But seriously, if I were truly evil and I lived there, I would totally ride the bus without paying for it. Luckily, I neither live there nor am I evil, so I would pay for it.
All in all, a good conference.